zeek/testing/btest/Baseline/scripts.base.protocols.http.http-09 at 0003495a9bacb0689f46627fac47cd10b6c0439f - Mirror/zeek

mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00

History

Tim Wojtulewicz 0003495a9b Special case HTTP 0.9 early on Mostly, treat HTTP0.9 completely separate. Because we're doing raw delivery of a body directly, fake enough (connection_close=1, and finish headers manually) so that the MIME infrastructure thinks it is seeing a body. This deals better with the body due to accounting for the first line. Also it avoids the content line analyzer to strip CRLF/LF and the analyzer then adding CRLF unconditionally by fully bypassing the content line analyzer. Concretely, the vlan-mpls test case contains a HTTP response with LF only, but the previous implementation would use CRLF, accounting for two many bytes. Same for the http.no-version test which would previously report a body length of 280 and now is at 323 (which agrees with wireshark). Further, the mime_type detection for the http-09 test case works because it's now seeing the full body. Drawback: We don't extract headers when a server actually replies with a HTTP/1.1 message, but grrr, something needs to give I guess.	2023-03-10 09:52:34 -07:00
..
http.log	Special case HTTP 0.9 early on	2023-03-10 09:52:34 -07:00
weird.log	http: Heuristic around rejecting malformed HTTP/0.9 traffic	2022-11-18 18:19:58 +01:00

Tim Wojtulewicz 0003495a9b Special case HTTP 0.9 early on

Mostly, treat HTTP0.9 completely separate. Because we're doing raw
delivery of a body directly, fake enough (connection_close=1, and finish
headers manually) so that the MIME infrastructure thinks it is seeing a
body.

This deals better with the body due to accounting for the first line. Also
it avoids the content line analyzer to strip CRLF/LF and the analyzer
then adding CRLF unconditionally by fully bypassing the content line
analyzer.

Concretely, the vlan-mpls test case contains a HTTP response with LF only,
but the previous implementation would use CRLF, accounting for two many bytes.
Same for the http.no-version test which would previously report a body
length of 280 and now is at 323 (which agrees with wireshark).

Further, the mime_type detection for the http-09 test case works because
it's now seeing the full body.

Drawback: We don't extract headers when a server actually replies with
a HTTP/1.1 message, but grrr, something needs to give I guess.

2023-03-10 09:52:34 -07:00

http.log

Special case HTTP 0.9 early on

2023-03-10 09:52:34 -07:00

weird.log

http: Heuristic around rejecting malformed HTTP/0.9 traffic

2022-11-18 18:19:58 +01:00